Don't Let the Cure Become the Disease: Granular Control Is the Only Answer to Security Woes Caused By Encryption

Encryption has gotten a bad rap lately, thanks to a rash of SSL (Secure Sockets Layer) security bugs that is expected to get even worse in coming years. Add to that the recent standoff between the FBI and Apple Inc. over the encrypted iPhone used by one of the San Bernardino terrorists, and it’s understandable why corporate decision makers have become increasingly nervous about the use of encryption.

But it’s important for IT security managers to reassure executives that encryption remains one of the most effective ways to protect data, while at the same time accepting that IT professionals can improve the standard way of addressing SSL issues. Rather than using tools to inspect and decrypt SSL messages indiscriminately, IT security professionals should instead leverage solutions that give them granular control over SSL traffic to decrypt data only when there’s a good reason to.

It is because of the effectiveness of encryption that many of the recent problems have occurred. The San Bernardino case, for instance, proved encryption can be so difficult to break that it seemed only Apple itself could get into the terrorist’s iPhone. Ransomware cases, in which cybercriminals lock up victims’ data and demand ransom to give users access back to their files, also prove how tough encryption is to break.

The problem is the misuse of encryption, which effectively turns the cure into the disease. That’s what happens when hackers exploit SSL bugs to break into networks – a practice that research firm Gartner says is getting worse. In 2017, more than half of cyber attacks on enterprises “will use encrypted traffic to bypass controls,” Gartner has predicted. In 2013, when Gartner made its dire forecast, such attacks accounted for less than 5 percent.

And just as hackers increasingly use encrypted traffic to bypass traditional cybersecurity solutions, hackers are choosing targets that give them the largest possible number of victims. So whether it is targeting Microsoft Windows users or exploiting vulnerabilities in widely used JavaScript downloader files to deliver malicious payloads, hackers are increasingly using SSL-encrypted traffic to stay hidden.

Hackers are becoming increasingly adept at sending threats through SSL traffic. ITProPortal recently listed five of these major “blind spot” threats: malware hidden in email or instant messages; malware distributed through social media; web app and DDoS (distributed denial of service) attacks; data exfiltration by insiders hiding the data in SSL; and malware communications between infected machines and command-and-control servers.

So we are left with organizations increasingly using encryption to protect their sensitive data while, at the same time, facing an onslaught of encrypted attacks. The trick now is finding an effective way of preventing the cure from becoming the disease. One option that IT pros (including the author of the above ITProPortal blog) often suggest is to deploy tools that inspect and decrypt SSL traffic, but this approach can be problematic.

Decrypting SSL messages can violate privacy regulations in some cases, and some countries outlaw the practice. Allowing exceptions for regulated or BYOD traffic is one solution, but in practice either users get warning messages they don’t understand, or administrators turn off SSL inspection altogether, defeating its purpose.

The only answer is granular control of SSL traffic: rather than decrypting all traffic indiscriminately, organizations can separately manage workgroup directories, parts of websites, domains and individuals. This way, decryption and inspection occur only when necessary, which avoids the productivity and compliance issues described above.
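To make the "granular control" idea concrete, here is a small decision engine for a selective-decryption policy. It is an added example written for this post, not code from the author or from any particular SSL inspection product. It assumes that the inspection point knows, before decrypting anything, who the client is (an authenticated user and a directory group) and which server it is talking to (the SNI hostname from the TLS ClientHello plus a category lookup on that hostname from a hypothetical URL-category feed); the groups, categories, hostnames and rules are all constructed for illustration. Compliance exemptions are evaluated first so they always win over inspection rules, and every decision is attributable to a named rule, which is what an auditor will ask for.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Callable, List, Tuple


# Attributes visible to an interception proxy *before* it decrypts anything:
# the client identity (from authentication / device inventory) and the server
# name (SNI in the ClientHello) with a category lookup on that hostname.
# The URL path is NOT visible until after decryption, so "parts of websites"
# can only be handled by hostname here (assumption: a hypothetical category feed).
@dataclass(frozen=True)
class Flow:
    user: str       # authenticated user, e.g. "alice"
    group: str      # directory group: "finance", "byod", "engineering", ...
    sni: str        # server name from the TLS ClientHello
    category: str   # hostname category from a hypothetical URL feed


Rule = Tuple[str, Callable[[Flow], bool], str]   # (name, predicate, action)

# Constructed example policy. Exemptions are checked before inspection rules,
# so a compliance exemption always beats an inspection rule; first match wins.
EXEMPTIONS: List[Rule] = [
    ("exempt-regulated-category",
     lambda f: f.category in {"healthcare", "banking", "government"}, "bypass"),
    ("exempt-byod",
     lambda f: f.group == "byod", "bypass"),
    # Certificate-pinning apps break under interception; carve out their hosts.
    ("exempt-pinned-domain",
     lambda f: any(fnmatch(f.sni, p) for p in ("*.pinned-app.example",
                                                "updates.example")), "bypass"),
]

INSPECTIONS: List[Rule] = [
    ("inspect-uncategorized",
     lambda f: f.category == "uncategorized", "decrypt"),
    ("inspect-file-sharing",
     lambda f: f.category == "file-sharing", "decrypt"),
    ("inspect-high-risk-group",
     lambda f: f.group == "contractors", "decrypt"),
]

# Decrypt only when a rule gives a reason to; everything else passes untouched.
DEFAULT_ACTION = "bypass"


def decide(flow: Flow) -> Tuple[str, str]:
    """Return (action, rule_name) for a flow; action is 'decrypt' or 'bypass'."""
    for name, predicate, action in EXEMPTIONS + INSPECTIONS:
        if predicate(flow):
            return action, name
    return DEFAULT_ACTION, "default"


def decision_log(flow: Flow) -> str:
    """One audit line per decision, so every decrypt is attributable to a rule."""
    action, rule = decide(flow)
    return (f"user={flow.user} group={flow.group} sni={flow.sni} "
            f"category={flow.category} action={action} rule={rule}")


if __name__ == "__main__":
    # Constructed sample flows
    samples = [
        Flow("alice", "finance", "portal.health-insurer.example", "healthcare"),
        Flow("bob", "byod", "cdn.social.example", "social-media"),
        Flow("carol", "engineering", "x7h2.dropzone.example", "uncategorized"),
        Flow("dave", "engineering", "docs.vendor.example", "business"),
    ]
    for s in samples:
        print(decision_log(s))
```

Two design points are worth noting. First, the exemption list is ordered ahead of the inspection list on purpose: a BYOD user browsing an uncategorized host is still bypassed, because the compliance decision was made before the risk decision. Second, the engine keys only on SNI and hostname category because those are the only server-side attributes available before decryption; a rule about a specific URL path can only be applied once the session is already decrypted, so "inspect part of a website" in practice means "decrypt the host, then limit what is logged or retained."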

With the proper controls in place, organizations don’t have to fear encryption. Hackers can only succeed in exploiting encryption when organizations lack the right tools to fight back.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
